Disaster Recovery

According to latest research from AT&T the answer are:

• Nearly 30 percent of U.S. businesses don't consider business continuity planning a priority.
• Two-thirds of IT executives predict that hacking will be the biggest threat in the next five years.
• The next most frequently mentioned threats are internal:
  Accidents — 56 percent
  Sabotage — 47 percent
  Remote workers — 44 percent

There is a propensity for the leader of every business unit to have an inflated sense of the criticality of the systems, services and contribution of their area. In order to sort out the priorities it is necessary to determine a level of assurance that is appropriate. An organized, defined set of assurance levels can be developed in terms of the following five standards, with a rough correspondence to maximum tolerable outages:

1. Platinum (five stars) – maximum tolerable outage less than hours;
2. Gold (four stars) – maximum tolerable outage up to one day;
3. Silver (three stars) – maximum tolerable outage up to one week;
4. Bronze (two stars) – maximum tolerable outage up to one month;
5. No standard – no defined tolerable outage.

1. Meet with everyone in your household and discuss the types of disasters that are most likely to occur in your area. Work together to decide what to do in each case. Write your plan down on paper, and keep it in your family files.
2. Since disasters often strike entire communities rather than just a single home, share your plan with neighbors and encourage them to develop their own plan. Share your plan with family members or friends living outside your town.
3. Select two places to meet if an emergency strikes. In case of sudden emergencies, such as a fire, pick a spot in the neighborhood outside your home. In a widespread emergency when you can't get back home, pick a spot outside your neighborhood. Make sure everyone knows the address and phone number.

There are nine type of IT Disaster that could be happen every day in IT environment, from user error to hardware failure. This article discussed how IT Disaster happened and how we could prepare against this matter. The original list taken from Unix Backup and Recovery by W. Curtis Preston

1. User error

This has been, by far, the biggest percentage of restores in every environment that I have seen. "Hey, I was sklocking my flambality file, and I accidentally pressed the jankle button. Can you restore it, please?" This one is pretty easy, right? What about the common question: "Can you restore it as of about an hour ago?"

2. System-staff error

This is less common than user error (unless your users have root), but when it happens, oh boy, does it happen! What happens when you newfs your Informix raw device or delete a user's home directory? These restores need to go really fast, since they're your fault. As far as protecting yourself from this type of error, the same is true here as for user errors-either typical nightly backups or snapshots can protect you from this.

3. Hardware failure

Most books talk about protecting yourself from hardware failure, but they usually don't mention that hardware failure can come in two forms: disk drive failure and system-wide failure. It is important to mention this, because it takes two entirely different methods to protect yourself from these failures. Many people do not take this into consideration when planning their data protection plan.

New ISO/IEC 24762:2008 provides guidance on:

• Implementing, operating, monitoring and maintaining the necessary facilities and services necessary for disaster recovery.
• Fallback and recovery support for the organization’s ICT systems.
• The capabilities which outsourced ICT disaster recovery service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate the organizations' recovery efforts.
• The selection of a recovery site (e.g. considering factors such as environmental stability, good infrastructure, etc.), and
• Requirements for ICT DR service providers to continuously improve their ICT DR services.

view standard here

How to develop Disaster Recovery Plan for your company? This simple guidance from W. Curtis Preston in his book Unix Backup and Recovery tell us six step to develop Disaster Recovery Plan. Here is the list.

1. Define (un)acceptable loss / Risk Assessment

“…Before you develop a disaster recovery plan, decide how much you will lose if you don't. That will help you decide how much time, effort, and money to spend on a disaster/recovery plan…”

Curtis give pressure on define unacceptable loss, or in the other ways perform a Risk Assessment for entire scenario. As we know that risk could be transferred (insurance), mitigated (by control it) or even accept the risk.

2. Back up everything.

“…You have to make sure that everything is backed up-including data, metadata, and the instructions you'll need to get them back…”

Curtis said to backup everything, (as long as you can have it), the basic principle is we could protect any kind of asset that we have.

3. Organize everything.

You have everything on backup volumes. But can you find the volume you need when disaster strikes? The key to being able to find your backups is organization.

During business impact analysis, IS auditor should make an regular analysis with each environmental exposures such as earthquake. And here is the list
Top 10 deadliest earthquake in the world

I hate the (incompetent) IS auditor, here is the story. One day your external auditor from big 4 audit firm come checking your IT system. This guy, discuss some issue with executive level within your company. This text book auditor then asks you to prepare any document or plan in case of disaster or incident. You, in charge in IT department then asking question to the auditor.
“Can you explain more detail what type of document? Since I’m little bit confuse with your jargon of BCP, DRP, COOP what is the difference?”

And here is the explanation, theoretically, according to NIST-SP 800-34 standard, you must prepare:

1. Business Continuity Plan (BCP)

Purpose: Provide procedures for sustaining essential business operations while recovering from a significant disruption
Scope: Addresses business processes; IT addressed based only on its support for business process

2. Business Recovery (or Resumption) Plan (BRP)

Purpose: Provide procedures for recovering business operations immediately following a disaster
Scope: Addresses business processes; not IT-focused; IT addressed based only on its support for business process